Thanks for your reply!
The user list is stored in a text file.

Eldad

On Thu, Jun 25, 2009 at 12:08 PM, Sean Conner <s...@conman.org> wrote:

> It was thus said that the Great Eldad Chai once stated:
> > Hi,
> >
> > I am using Apache reverse proxy.
> >
> > I want to perform the following and am wondering if it is possible:
> >
> > 1) Extract a field (Subject Name) from a client certificate sent over
> > SSL and compare it to a local list I have
> >
> > 2) Add parts of the certificate to headers or parameters in the HTTP
> > request to the backend server
>
> 1) How is the local list stored? My current configuration on my secure
> server for client certificates looks like:
>
>   <Directory /home/spc/web/sites/secure.conman.org/s-htdocs/library>
>     SSLRequireSSL
>     SSLRequire %{SSL_CLIENT_S_DN_O} eq "Conman Laboratories" \
>            and %{SSL_CLIENT_S_DN_OU} eq "Clients"
>     SSLVerifyClient require
>     SSLVerifyDepth 10
>   </Directory>
>
> Translated: This directory requires a certificate with an organization of
> "Conman Laboratories" and a department of "Clients" for access; otherwise,
> fail the request. I'm sure there are other methods, but I haven't
> investigated them.
>
> 2) I'm guessing something based on the following (I haven't played around
> much with web proxies, but this might get you on the right track):
>
>   RewriteEngine On
>   RewriteBase /wherever
>
>   RewriteRule ^(.*)$ proxyrequest?user=%{SSL:SSL_CLIENT_S_DN_CN}&group=%{SSL:SSL_CLIENT_S_DN_OU} [P,L]
>
> Basically, any of the SSL environment variables [1] can be
> passed as part of a URI (CGI scripts will find them as environment
> variables). Hope this points you in the right direction at least.
>
> -spc
>
> [1] A bunch are listed here:
> http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
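
One way to combine both parts of the question when the list lives in a text file, as an added example that is not configuration from either poster: a `RewriteMap` lookup on the certificate CN, plus `RequestHeader set` to pass certificate fields to the backend. The file paths, map name, header names and backend address are assumptions, and the `%{...}s` header format assumes Apache 2.2 or later.

```apache
# Added example. Server or virtual-host context only: RewriteMap is not
# allowed inside <Directory> or .htaccess.
# Needs mod_ssl, mod_rewrite, mod_headers, mod_proxy and mod_proxy_http.

# Require a client certificate issued by a CA we trust.
# (hypothetical CA bundle path)
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /etc/apache2/ssl/client-ca.pem

RewriteEngine On

# Hypothetical list file, one "key value" pair per line, for example:
#   alice.example.org  ok
#   bob.example.org    ok
# Keys in a txt: map are whitespace-delimited, so a CN that contains
# spaces cannot be matched this way and needs a different map type.
RewriteMap allowedcn txt:/etc/apache2/allowed-cn.txt

# Part 1: look the CN up in the list; a missing key yields "deny"
# and the request is refused with 403 before it reaches the proxy.
RewriteCond ${allowedcn:%{SSL:SSL_CLIENT_S_DN_CN}|deny} =deny
RewriteRule ^ - [F]

# Part 2: pass certificate fields to the backend as request headers.
# "set" overwrites any header of the same name sent by the client, so
# the backend only ever sees values taken from the verified certificate.
RequestHeader set X-SSL-Client-CN "%{SSL_CLIENT_S_DN_CN}s"
RequestHeader set X-SSL-Client-OU "%{SSL_CLIENT_S_DN_OU}s"

# Hypothetical backend address.
ProxyPass        / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
```

The backend should accept these headers only from the proxy's address, since anything that can reach it directly could set them itself.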